PCI DSS 4.0. Protect every transaction.
The mandatory standard for anyone handling payment card data. Archaeon maps all 12 requirement families, automates evidence collection, and maintains continuous compliance between annual assessments.
12 requirement families
250+ sub-requirements mapped
40% faster SAQ completion
PCI DSS
The standard behind every card transaction
PCI DSS is required for any organization that stores, processes, or transmits payment card data. Version 4.0 introduced a customized approach alongside the traditional defined approach, giving organizations flexibility in how they meet security objectives. With over 250 sub-requirements across 12 families, achieving and maintaining compliance demands structured, continuous effort.
What it covers
Twelve requirement families
PCI DSS 4.0 organizes its requirements into six goals and twelve families covering the full scope of cardholder data protection.
Network Security
Install and maintain network security controls and apply secure configurations to all system components. Covers firewalls, segmentation, and hardening standards.
Account Data Protection
Protect stored account data, and protect cardholder data with strong cryptography when it is transmitted over open, public networks.
Vulnerability Management
Protect all systems and networks from malicious software, and develop and maintain secure systems and software. Covers patching, anti-malware, and a secure SDLC.
Access Control
Restrict access by business need-to-know, identify users and authenticate access, and restrict physical access to cardholder data.
Monitoring & Testing
Log and monitor all access to system components and cardholder data. Test security of systems and networks regularly.
Security Policies
Support information security with organizational policies and programs. Covers security awareness, incident response, and risk assessments.
Without automation
PCI DSS non-compliance can mean fines from your acquirer and, ultimately, losing the ability to process card payments
Without: Quarterly vulnerability scans and annual penetration tests generate findings that sit in PDF reports nobody tracks.
With Archaeon: Findings from scans and penetration tests flow directly into your risk register with severity, owner, and remediation tracking.
Without: The cardholder data environment keeps expanding in scope because nobody maintains a current data flow diagram.
With Archaeon: The architecture design canvas documents your CDE, data flows, and segmentation controls visually, with security annotations.
Without: SAQ completion takes weeks of cross-department coordination to gather evidence from a dozen different systems.
With Archaeon: Automated evidence collection maps artifacts to PCI DSS requirements, and SAQ responses are pre-populated from the collected evidence.
Without: Compensating controls are documented in Word files with no connection to the requirements they address.
With Archaeon: Compensating controls link directly to the requirements they address and carry their own risk assessment; the customized approach, which is a separate route under v4.0, has its own targeted risk analysis and validation tracking.
How Archaeon helps
PCI DSS compliance, automated
Full v4.0.1 requirement mapping
All 12 requirement families and 250+ sub-requirements pre-mapped with defined and customized approach guidance. Includes the new requirements that became effective March 2025.
CDE scope management
Document your cardholder data environment, data flows, and network segmentation on the architecture design canvas. Maintain living documentation that evolves with your infrastructure.
Vulnerability & scan tracking
Import results from ASV scans, internal vulnerability assessments, and penetration tests. Findings auto-populate your risk register with PCI DSS requirement linkage and remediation tracking.
Evidence collection & SAQ support
Automated evidence collection from infrastructure, access controls, and logging systems. Pre-populate SAQ responses with linked evidence artifacts and control documentation.
Customized approach documentation
If you're using PCI DSS 4.0's customized approach, Archaeon helps document your targeted risk analysis, custom controls, and validation testing for each requirement. Note that the customized approach is only available for assessments reported in a Report on Compliance; entities completing an SAQ must use the defined approach.
Continuous compliance monitoring
PCI DSS requires ongoing security — not just annual assessments. Continuous monitoring tracks control effectiveness between assessments and alerts on drift.
Ready to automate PCI DSS compliance?
See how Archaeon maps PCI DSS controls, collects evidence automatically, and keeps you audit-ready year-round.